General

  • Target

    6c70cd596a37b0ea2b0736f42e9c1536e4c1dc367e03c162a390c599cbaa752a

  • Size

    1.1MB

  • Sample

    230420-c7hn2ahb2z

  • MD5

    267064531f662c5ca43e1f4dfb7ffec3

  • SHA1

    63011711900246bf7d7e8c73f6feba78edd056d4

  • SHA256

    6c70cd596a37b0ea2b0736f42e9c1536e4c1dc367e03c162a390c599cbaa752a

  • SHA512

    d61b446487113edbf804581b42691fc8bacb3289131178d71e28b1694cdb402f0a6ae118df4ae87bfc36f4efa89f5f03502ea5be8d99748c97fb8080625842e4

  • SSDEEP

    12288:Py9034MJsL3fAzqR8pOJLV9WBULBMwAynRC55+jSpiqB0T9aeYl7PTSeeW+VIzUB:Py4GIzdkxVEcB7nw7+j+cwheWaemHV

Malware Config

Extracted

Family

amadey

Version

3.70

C2

212.113.119.255/joomla/index.php

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect rhadamanthys stealer shellcode

    • Modifies Windows Defender Real-time Protection settings

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v6

Tasks